Two ISP Internet connections on CentOS 6. Cannot ping from the client

I have two Internet connections from two different ISPs, and I need a host that fails over between these two ISPs for my local network. I am using CentOS 6.

eth0 – ISP 1
eth1 – ISP 2
eth2 – local network interface

Configuration:
eth0

DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:15:5D:AA:AD:A6
IPADDR=12.12.12.226
DNS1=202.119.32.5
DNS2=202.119.32.9
NAME="System eth0"
NETMASK=255.255.255.248
USERCTL=no

eth1

DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:15:5D:AA:AD:A7
IPADDR=11.11.11.115
DNS1=198.169.104.130
NAME="System eth1"
NETMASK=255.255.255.240
USERCTL=no

eth2

DEVICE=eth2
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:15:5D:AA:AD:A8
IPADDR=192.168.110.181
NAME="System eth2"
NETMASK=255.255.255.0
USERCTL=no

route-eth0

12.12.12.224/29 dev eth0 table vega
###
12.12.12.224/29 dev eth0 src 12.12.12.226
###
12.12.12.224/29 dev eth0 src 12.12.12.226 table kyivstar
default via 12.12.12.225 table kyivstar

route-eth1 (this is where the interface route ranges of both ISPs are listed):

11.11.11.112/28 dev eth1 table kyivstar
###
11.11.11.112/28 dev eth1 src 11.11.11.115
###
11.11.11.112/28 dev eth1 src 11.11.11.115 table vega
default via 11.11.11.113 table vega
#need, because after network servicerestart, default scope are fallen
default scope global nexthop via 12.12.12.225 dev eth0 weight 4 nexthop via 11.11.11.113 dev eth1 weight 1

route-eth2 (local network):

192.168.110.0/24 dev eth2 table kyivstar
192.168.110.0/24 dev eth2 table vega

rule-eth0:

from 12.12.12.226 lookup kyivstar

rule-eth1:

from 11.11.11.115 lookup vega

My rt_tables:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

1       kyivstar
2       vega

Next, my iptables script:

#!/bin/bash

IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_gre
/sbin/modprobe ip_nat_pptp

$IPTABLES -A FORWARD -i eth2 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Finally, my failover script:

#!/bin/bash

# Conventionally 0 indicates success in this script.

# Time between checks in seconds
SLEEPTIME=10

#IP Address or domain name to ping. The script relies on the domain being
#pingable and always available
TESTIP=8.8.8.8

#Ping timeout in seconds
TIMEOUT=2

# External interfaces
EXTIF1=eth0
EXTIF2=eth1

#IP address of external interfaces. This is not the gateway address.
IP1=`ifconfig $EXTIF1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
IP2=`ifconfig $EXTIF2 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`

#Gateway IP addresses. This is the first (hop) gateway, could be your router IP
#address if it has been configured as the gateway
GW1=`sipcalc $EXTIF1 | grep -w 'Usable range' | awk '{ print $4 }'`
GW2=`sipcalc $EXTIF2 | grep -w 'Usable range' | awk '{ print $4 }'`

# Relative weights of routes. Keep this to a low integer value. I am using 4
# for TATA connection because it is 4 times faster
W1=4
W2=1

# Broadband providers name; use your own names here.
NAME1=kyivstar
NAME2=vega

#No of repeats of success or failure before changing status of connection
SUCCESSREPEATCOUNT=4
FAILUREREPEATCOUNT=1

# Do not change anything below this line

# Last link status indicates the macro status of the link we determined. This is down initially to force routing change upfront. Don't change these values.
LLS1=1
LLS2=1

# Last ping status. Don't change these values.
LPS1=1
LPS2=1

# Current ping status. Don't change these values.
CPS1=1
CPS2=1

# Change link status indicates that the link needs to be changed. Don't change these values.

CLS1=1
CLS2=1

# Count of repeated up status or down status. Don't change these values.
COUNT1=0
COUNT2=0

# Log file
CHECKGATEWAYLOG=/termolife/gwping_status

while : ; do
        ping -W $TIMEOUT -I $IP1 -c 1 $TESTIP > /dev/null  2>&1
        RETVAL=$?

        if [ $RETVAL -ne 0 ]; then
                echo $(date) "______" $NAME1 Down >> $CHECKGATEWAYLOG
                CPS1=1
        else
                CPS1=0
        fi

        if [ $LPS1 -ne $CPS1 ]; then
                echo $(date) "______" Ping status changed for $NAME1 from $LPS1 to $CPS1 >> $CHECKGATEWAYLOG
                COUNT1=1
        else
                if [ $LPS1 -ne $LLS1 ]; then
                        COUNT1=`expr $COUNT1 + 1`
                fi
        fi

        if [[ $COUNT1 -ge $SUCCESSREPEATCOUNT || ($LLS1 -eq 0 && $COUNT1 -ge $FAILUREREPEATCOUNT) ]]; then
                echo $(date) "______" Uptime status will be changed for $NAME1 from $LLS1 >> $CHECKGATEWAYLOG
                CLS1=0
                COUNT1=0
                if [ $LLS1 -eq 1 ]; then
                        LLS1=0
                else
                        LLS1=1
                fi
        else
                CLS1=1
        fi

        LPS1=$CPS1

        ping -W $TIMEOUT -I $IP2 -c 1 $TESTIP > /dev/null  2>&1
        RETVAL=$?

        if [ $RETVAL -ne 0 ]; then
                echo $(date) "______" $NAME2 Down >> $CHECKGATEWAYLOG
                CPS2=1
        else
                CPS2=0
        fi

        if [ $LPS2 -ne $CPS2 ]; then
                echo $(date) "______" Ping status changed for $NAME2 from $LPS2 to $CPS2 >> $CHECKGATEWAYLOG
                COUNT2=1
        else
                if [ $LPS2 -ne $LLS2 ]; then
                        COUNT2=`expr $COUNT2 + 1`
                fi
        fi

        if [[ $COUNT2 -ge $SUCCESSREPEATCOUNT || ($LLS2 -eq 0 && $COUNT2 -ge $FAILUREREPEATCOUNT) ]]; then
                echo $(date) "______" Uptime status will be changed for $NAME2 from $LLS2 >> $CHECKGATEWAYLOG
                CLS2=0
                COUNT2=0
                if [ $LLS2 -eq 1 ]; then
                        LLS2=0
                else
                        LLS2=1
                fi
        else
                CLS2=1
        fi

        LPS2=$CPS2

        if [[ $CLS1 -eq 0 || $CLS2 -eq 0 ]]; then
                if [[ $LLS1 -eq 1 && $LLS2 -eq 0 ]]; then
                        ip route flush cache
                        echo $(date) "______" Switching to $NAME2 >> $CHECKGATEWAYLOG
                        ip route replace default scope global via $GW2 dev $EXTIF2
                        ip route show | awk '{print}' | grep 'eth0\|eth1' >> $CHECKGATEWAYLOG
                elif [[ $LLS1 -eq 0 && $LLS2 -eq 1 ]]; then
                        ip route flush cache
                        echo $(date) "______" Switching to $NAME1 >> $CHECKGATEWAYLOG
                        ip route replace default scope global via $GW1 dev $EXTIF1
                        ip route show | awk '{print}' | grep 'eth0\|eth1' >> $CHECKGATEWAYLOG
                elif [[ $LLS1 -eq 0 && $LLS2 -eq 0 ]]; then
                        ip route flush cache
                        echo $(date) "______" Restoring default load balancing >> $CHECKGATEWAYLOG
                        ip route replace default scope global nexthop via $GW1 dev $EXTIF1 weight $W1 nexthop via $GW2 dev $EXTIF2 weight $W2
                        ip route show | awk '{print}' | grep 'eth0\|eth1' >> $CHECKGATEWAYLOG
                fi
        fi
        sleep $SLEEPTIME
done

Everything works: when ISP kyivstar goes down, my default route is changed to ISP vega. However, on a client (Windows 7), when I watch a ping (ping gmail.com -t) and shut down ISP kyivstar, I see that packets are lost. But when I check a ping to a different host (ping facebook.com), I see that all packets are delivered.
When I run "tracert" on the Windows client, I see the packets going through the ISP kyivstar gateway, not through ISP vega. In the routing table on the host (server) I see that the default gateway has been changed to ISP vega. If I check a ping on the host (server) itself, all packets go out through the ISP vega gateway.

I saw on Google that the problem is the routing cache. OK.

I entered this in sysctl.conf:

sysctl -w net.ipv4.route.secret_interval=0   

But it does not help me. How can I fix this? Thank you for your attention.
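To make the failover script's timing concrete, here is an added Python model (not the asker's script or any project code) of its link-state debounce and route selection, fed a constructed sequence of ping results for the two ISPs; it uses the script's own thresholds and returns the route actions the script would issue, with the loop iteration at which each happens.

```python
# Added example (not the original script): a model of the failover script's
# link-state debounce and route selection, fed constructed ping results.
# Names mirror the script: lls = last link status (1 = down), lps/cps =
# last/current ping status (0 = success), count = contradicting-ping streak.
SUCCESSREPEATCOUNT = 4   # good pings before a link is declared up
FAILUREREPEATCOUNT = 1   # bad pings before a link is declared down

class Link:
    def __init__(self, name):
        self.name, self.lls, self.lps, self.count = name, 1, 1, 0  # starts "down"

    def observe(self, ping_ok):
        """Feed one ping result; return True if the link status flipped."""
        cps = 0 if ping_ok else 1
        if self.lps != cps:
            self.count = 1            # result changed: restart the streak
        elif self.lps != self.lls:
            self.count += 1           # same result, still contradicting lls
        self.lps = cps
        if self.count >= SUCCESSREPEATCOUNT or (
                self.lls == 0 and self.count >= FAILUREREPEATCOUNT):
            self.count = 0
            self.lls = 1 - self.lls
            return True
        return False

def run(samples, names=("kyivstar", "vega")):
    """samples: (isp1_ok, isp2_ok) per loop iteration; returns
    [(iteration, action)] for each route change the script would make."""
    links = [Link(n) for n in names]
    actions = []
    for i, results in enumerate(samples, start=1):
        changed = [link.observe(ok) for link, ok in zip(links, results)]
        if not any(changed):
            continue                  # CLS1 and CLS2 both 1: nothing to do
        l1, l2 = links
        if l1.lls == 1 and l2.lls == 0:
            actions.append((i, f"default via {l2.name}"))
        elif l1.lls == 0 and l2.lls == 1:
            actions.append((i, f"default via {l1.name}"))
        elif l1.lls == 0 and l2.lls == 0:
            actions.append((i, "load balance"))
        # both down: the script leaves the default route untouched
    return actions

# Constructed sample: both ISPs answer for 4 checks, kyivstar then fails
# for 2 checks and recovers; vega stays up throughout.
SAMPLE_PINGS = [(True, True)] * 4 + [(False, True)] * 2 + [(True, True)] * 4
if __name__ == "__main__":
    print(run(SAMPLE_PINGS))  # [(4, 'load balance'), (5, 'default via vega'), (10, 'load balance')]
```

The model covers only the route change; NAT bindings that conntrack already established for flows in progress are not touched by `ip route replace`, which is one thing to check when a single long-running ping keeps failing after a switch while new flows succeed.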